Global Privacy and Cybersecurity Law Updates and Analysis

On January 6, 2012, the United States District Court for the District of Massachusetts granted Michaels Stores, Inc.’s (“Michaels”) a motion to dismiss against a customer-plaintiff who alleged that Michaels’ in-store information collection practices violated Massachusetts law. Although the court ruled in Michaels’ favor, it found that customer ZIP codes do constitute personal information under Massachusetts state law when collected in the context of a credit card transaction. The plaintiff’s class action complaint alleged that “Michaels illegally requested customers’ ZIP codes when processing their credit card transactions in violation of” Massachusetts General Laws Chapter 93, Section 105(a) (“Section 105(a)”). Specifically, Section 105(a) states that “[n]o person, firm, partnership, corporation or other business entity that accepts a credit card for a business transaction shall write, cause to be written or require that a credit card holder write personal identification information, not required by the credit card issuer, on the credit card transaction form.”

As we reported in October 2011, New Jersey courts also addressed this issue and provided conflicting rulings as to whether ZIP codes are considered personal information. We also previously reported on the California decision in Pineda v. Williams-Sonoma Stores, Inc., in which California Supreme Court held that ZIP codes are “personal identification information” under California’s Song-Beverly Credit Card Act.

According to the Massachusetts court, a ZIP code constitutes personal identification information in a credit card transaction because, “[t]he ZIP code may be used (in conjunction with other data) to identify a specific individual…[i]n this way, the input of a ZIP code during a credit card transaction is the equivalent to the input of a Personal Identification Number…in a debit card transaction.” The court explicitly distinguished its reasoning from that of the California Supreme Court in Pineda, noting that the legislative history of Section 105(a) indicates that it was intended to be narrower in scope than the California law because Massachusetts legislature was concerned about preventing fraud, not about merchants attempting to locate their customers addresses.

The district court also held that Michaels’ practice of entering the plaintiff’s ZIP code, combined with her credit card number and name, into an electronic card terminal, violated Section 105(a)’s prohibition on “[writing] personal identification information…on the credit card transaction form.”

Although the court found that the plaintiff had sufficiently alleged a cause of action under Section 105(a), it ultimately dismissed her complaint in its entirety because she failed to demonstrate a causal connection between Michaels’ “deceptive act” and any cognizable injury.

ATTORNEY ADVERTISING. Case results depend upon a variety of factors unique to each case. Case results do not guarantee or predict a similar result in any future case. Unless otherwise noted, attorneys not certified by the Texas Board of Legal Specialization.

About our Global Privacy & Cybersecurity Practice Group

Hunton & Williams’ Global Privacy and Cybersecurity practice helps companies manage data at every step of the information life cycle. The firm is a leader in its field and for the fourth consecutive year has been ranked by Computerworld magazine in a survey of more than 4,000 corporate privacy leaders as the top law firm globally for privacy and data security. Chambers and Partners also rated Hunton & Williams the top privacy and data security practice in its Chambers Global, Chambers USA and Chambers UK guides.